{"id":51462,"date":"2024-06-13T10:25:40","date_gmt":"2024-06-13T14:25:40","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=51462"},"modified":"2024-06-13T10:25:40","modified_gmt":"2024-06-13T14:25:40","slug":"shrinklocker-ransomware-encrypts-with-bitlocker","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/shrinklocker-ransomware-encrypts-with-bitlocker\/51462\/","title":{"rendered":"ShrinkLocker ransomware employing BitLocker for encryption"},"content":{"rendered":"

While investigating a cybersecurity incident, Kaspersky\u2019s experts discovered new ransomware they\u2019ve dubbed \u201cShrinkLocker\u201d. An interesting feature of this malware is that its creators artfully use the built-in capabilities of Windows to lock down computers the malware has infected. In particular, ShrinkLocker uses the standard full-disc encryption utility BitLocker to block access to the data.<\/p>\n

What makes ShrinkLocker dangerous?<\/h2>\n

Like most ransomware today, ShrinkLocker encrypts the victim\u2019s local drives to block access to their contents. What it essentially does is activate a standard security feature \u2014 BitLocker.<\/p>\n

ShrinkLocker shrinks the computer\u2019s drive partitions by 100 megabytes \u2014 hence its name \u2014 and uses the freed-up space to create a boot partition for itself. While it\u2019s at it, it disables every BitLocker key-recovery mechanism, and sends the key that was used for the drives\u2019 encryption to the attacker\u2019s server.<\/p>\n

After the user restarts the computer, they\u2019re presented with the standard BitLocker password prompt. Since the user is now unable to start the system, ShrinkLocker changes the labels of all system drives to the attacker\u2019s email address instead of leaving a ransom note.<\/p>\n

How ShrinkLocker works<\/h2>\n

ShrinkLocker is implemented as a complex VBScript. It starts by gathering information about the operating system \u2014 primarily, its version. If the script finds that it\u2019s running on Windows 2000, XP, 2003, or Vista, it shuts down. For newer editions of Windows, it runs parts of its code that are optimized for the relevant operating system.<\/p>\n

Next, it runs preparatory operations on the local drives as mentioned above, and modifies several registry keys to configure the system for running BitLocker smoothly with the settings that the attacker requires.<\/p>\n

\"ShrinkLocker<\/a>

ShrinkLocker writes the attacker\u2019s email address to the volume label<\/p><\/div>\n

Then it disables and removes all default BitLocker protectors to prevent key recovery, and enables the numerical password-protector option.<\/p>\n

The script then generates this password and initiates encryption of all local drives using the newly created password. After this, ShrinkLocker sends an HTTP POST request containing the password and system information to the attacker\u2019s command-and-control server.<\/p>\n

To mask the actual server address, the threat actor uses several trycloudflare.com subdomains. This is a legitimate domain owned by CloudFlare and designed for website developers to test website traffic tunneling capabilities.<\/p>\n

In its final stages, ShrinkLocker covers its tracks by removing its files from the drive, clearing Windows PowerShell logs, and so on. Finally, the script restarts the system.<\/p>\n

If the user tries choosing a recovery option while the machine is booting up, they get a message stating that no BitLocker recovery options are available.<\/p>\n

\"ShrinkLocker<\/a>

ShrinkLocker has blocked access to the drive with BitLocker, and no recovery options are available<\/p><\/div>\n

Regarding the geographical distribution of infections, our researchers have observed ShrinkLocker and its modifications in Indonesia, Jordan, and Mexico. You can find more details about the ShrinkLocker modus operandi in our report on Securelist<\/a>.<\/p>\n

How to protect yourself from ShrinkLocker<\/h2>\n

Here are some tips for how to protect against ShrinkLocker and other ransomware threats:<\/p>\n